[Opendnssec-user] AXFR & Socket Error

Lukas Schwaighofer lukas at schwaighofer.name
Sun Nov 15 22:41:56 UTC 2015


Hello,

I've just changed my DNSSEC setup and I'm now using opendnssec
1.4.6 from Debian jessie. As authoritative nameserver I'm using nsd
4.1.0 (also from Debian jessie). I've configured nsd to use AXFR for
getting the signed zones from nsd.


I'm very satisfied with my setup, but I'm quite frequently getting the
following error in my system's log:

  ods-signer: [socket] unable to handle outgoing tcp response: write()
              failed (Broken pipe)

I couldn't find any information on this problem, so I've tried looking
into it. Here is what I think is happening:

1. nsd is periodically checking if its zone is up to date by issuing an
   AXFR query to the ods-signerd
2. The ods-signerd starts delivering the zone
3. nsd realizes that the SOA has not changed and its zone is already up
   to date. It (half) closes the TCP connection as per RFC 5936, Section
   4.1.1
4. ods-signerd keeps sending more information on the zone (which to my
   understanding it shouldn't). As a result nsd sends a TCP RST.
   ods-signerd does not handle this gracefully, thus the socket error
   message.

So as far as I can tell, it's safe for me to ignore the error.


Since my setup seems to be quite "normal" I'm a little bit puzzled that
I didn't find any reference to this problem so far. Does anybody else
experience the same problem?


Thank you
Lukas Schwaighofer
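
The mechanism hypothesised in steps 1-4, reproduced on loopback as an added example (not part of the original post, and not OpenDNSSEC or NSD code): a sender that keeps calling write() after the receiver has closed gets EPIPE or ECONNRESET, and can treat that as an aborted transfer rather than a failure. The function names, the 512-byte chunks and Linux TCP behaviour are assumptions.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <poll.h>
#include <signal.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Send `chunks` blocks on fd. Returns 0 when all were written, 1 when the
 * peer went away mid-transfer (EPIPE or ECONNRESET), -1 on any other error. */
static int send_zone(int fd, int chunks) {
    char chunk[512] = {0};              /* constructed stand-in for zone data */
    for (int i = 0; i < chunks; i++) {
        if (write(fd, chunk, sizeof chunk) < 0)
            return (errno == EPIPE || errno == ECONNRESET) ? 1 : -1;
        poll(NULL, 0, 1);               /* 1 ms pause so the peer's RST can arrive */
    }
    return 0;
}

/* Loopback transfer in one process; the receiver may close after the first bytes. */
int run_transfer(int receiver_closes_early) {
    struct sockaddr_in addr = {0};
    socklen_t len = sizeof addr;
    char first[64];
    signal(SIGPIPE, SIG_IGN);           /* otherwise the failing write() kills us */
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);  /* port 0: kernel picks one */
    int lfd = socket(AF_INET, SOCK_STREAM, 0), rfd = socket(AF_INET, SOCK_STREAM, 0);
    if (lfd < 0 || rfd < 0 || bind(lfd, (struct sockaddr *)&addr, sizeof addr) < 0 ||
        listen(lfd, 1) < 0 || getsockname(lfd, (struct sockaddr *)&addr, &len) < 0 ||
        connect(rfd, (struct sockaddr *)&addr, sizeof addr) < 0)
        return -1;
    int sfd = accept(lfd, NULL, NULL);  /* sender side of the connection */
    if (sfd < 0 || send_zone(sfd, 1) != 0 || read(rfd, first, sizeof first) <= 0)
        return -1;
    if (receiver_closes_early)
        close(rfd);                     /* receiver has seen enough of the zone */
    int rc = send_zone(sfd, 20);        /* sender keeps going regardless */
    if (!receiver_closes_early)
        close(rfd);
    close(sfd); close(lfd);
    return rc;
}

int main(void) {
    printf("early close: %d, full read: %d\n", run_transfer(1), run_transfer(0));
    return 0;
}
```

A result of 1 is the case that shows up in the log as "write() failed (Broken pipe)"; a sender that maps it to "peer aborted the transfer" can log it at a lower severity.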